On Mon, Jul 22, 2024 at 04:21:21PM +0200, Hannes Reinecke wrote: > + ret = nvme_auth_generate_digest(sq->ctrl->shash_id, psk, psk_len, > + sq->ctrl->subsysnqn, > + sq->ctrl->hostnqn, &digest); > + if (ret) { > + pr_warn("%s: ctrl %d qid %d failed to generate digest, error %d\n", > + __func__, sq->ctrl->cntlid, sq->qid, ret); > + goto out_free_psk; > + } > + ret = nvme_auth_derive_tls_psk(sq->ctrl->shash_id, psk, psk_len, > + digest, &tls_psk); > + if (ret) { > + pr_warn("%s: ctrl %d qid %d failed to derive TLS PSK, error %d\n", > + __func__, sq->ctrl->cntlid, sq->qid, ret); > + goto out_free_digest; > + } This reuses 'psk' as both an HMAC key and as input keying material for HKDF. It's *probably* still secure, but this violates cryptographic best practices in that it reuses a key for multiple purposes. Is this a defect in the spec? - Eric